From owner-freebsd-security@FreeBSD.ORG Sun Jul 30 03:13:25 2006
From: 植田 裕之
Date: Sun, 30 Jul 2006 12:13:22 +0900
Subject: Re: Ruby vulnerability?

Dear Sirs,

> CVE report is very unpleasant: "Multiple unspecified vulnerabilities".
> Secunia has more professional report.
>
> RedHat is only vendor who released updates, but they are binary. So,
> there is no known fix now.
Following information may help you:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378029

But matz (ruby creator) has not mentioned about this yet.
And he has said that he has no will to release patch for the vulnerabilities.

http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-list/42575

The message is in Japanese and the content is as follows.

At present, a patch for these vulnerabilities is not ready because the
problems occur only with $SAFE=4. So the vulnerabilities will be serious
only when all the following conditions are satisfied.

* You use $SAFE=4 sandbox
* You run untrusted codes

> I hope ruby team will release 1.8.5 ASAP.

On 18th July, ruby 1.8.5 preview2 was released and release date of 1.8.5
will be near middle of August if they work on schedule.

Best regards.

-----
UEDA Hiroyuki

From owner-freebsd-security@FreeBSD.ORG Sun Jul 30 09:10:18 2006
From: Sergey Matveychuk
Date: Sun, 30 Jul 2006 13:09:37 +0400
Subject: Re: Ruby vulnerability?

植田 裕之 wrote:
> Dear Sirs,
>
>
>> CVE report is very unpleasant: "Multiple unspecified vulnerabilities".
>> Secunia has more professional report.
>>
>> RedHat is only vendor who released updates, but they are binary. So,
>> there is no known fix now.
>
> Following information may help you:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=378029
>

Good. There are three patches there.
I'll test if they fix the vulnerabilities.

--
Dixi.
Sem.

From owner-freebsd-security@FreeBSD.ORG Sun Jul 30 13:43:04 2006
From: Sergey Matveychuk
Date: Sun, 30 Jul 2006 17:42:27 +0400
Subject: Re: Ruby vulnerability?

Sergey Matveychuk wrote:
> Good. There are three patches there.
> I'll test if they fix the vulnerabilities.
>

FYI The fixes were committed.

--
Dixi.
Sem.

From owner-freebsd-security@FreeBSD.ORG Sun Jul 30 13:44:57 2006
From: Remko Lodder
Date: Sun, 30 Jul 2006 15:44:49 +0200
Subject: Re: Ruby vulnerability?

Sergey Matveychuk wrote:
> Sergey Matveychuk wrote:
>> Good. There are three patches there.
>> I'll test if they fix the vulnerabilities.
>>
>
> FYI The fixes were committed.
>

Thanks a lot for the work Sergey!

--
Kind regards,

     Remko Lodder               ** remko@elvandar.org
     FreeBSD                    ** remko@FreeBSD.org

     /* Quis custodiet ipsos custodes */

From owner-freebsd-security@FreeBSD.ORG Sun Jul 30 15:47:38 2006
From: Frank Steinborn
Date: Sun, 30 Jul 2006 17:47:33 +0200
Subject: Re: Ruby vulnerability?

Shaun Amott wrote:
> On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote:
> >
> > FYI, Red Hat released an advisory today about a vulnerability in Ruby. So
> > far it doesn't appear in the VuXML, but am I correct in presuming it will
> > soon?
> >
>
> I've added it; thanks for the report.

Hmm, I saw the flaw with "portaudit -Fda" yesterday, however - today
my ruby isn't shown as vulnerable anymore. Why?

Frank

From owner-freebsd-security@FreeBSD.ORG Sun Jul 30 18:10:33 2006
From: Randy Pratt
Date: Sun, 30 Jul 2006 14:13:24 -0400
Subject: Re: Ruby vulnerability?

On Sun, 30 Jul 2006 17:47:33 +0200
Frank Steinborn wrote:

> Shaun Amott wrote:
> > On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote:
> > >
> > > FYI, Red Hat released an advisory today about a vulnerability in Ruby. So
> > > far it doesn't appear in the VuXML, but am I correct in presuming it will
> > > soon?
> > >
> >
> > I've added it; thanks for the report.
>
> Hmm, I saw the flaw with "portaudit -Fda" yesterday, however - today
> my ruby isn't shown as vulnerable anymore. Why?

I show it as a vulnerability here. It could be that you may have
gotten your last update from a server that hasn't caught up yet.
Try running it again and see if that helps.
Randy
--

From owner-freebsd-security@FreeBSD.ORG Sun Jul 30 19:11:13 2006
From: "Simon L. Nielsen"
Date: Sun, 30 Jul 2006 21:11:01 +0200
Subject: Re: Ruby vulnerability?

On 2006.07.30 17:47:33 +0200, Frank Steinborn wrote:
> Shaun Amott wrote:
> > On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote:
> > >
> > > FYI, Red Hat released an advisory today about a vulnerability in Ruby. So
> > > far it doesn't appear in the VuXML, but am I correct in presuming it will
> > > soon?
> > >
> >
> > I've added it; thanks for the report.
>
> Hmm, I saw the flaw with "portaudit -Fda" yesterday, however - today
> my ruby isn't shown as vulnerable anymore. Why?

The database was broken for a bit due to an invalid entry, try again
now.

--
Simon L. Nielsen

From owner-freebsd-security@FreeBSD.ORG Sun Jul 30 23:09:28 2006
From: Brett Glass
Date: Sun, 30 Jul 2006 17:08:38 -0600
Subject: Re: Integrity checking NANOBSD images

At 03:22 PM 7/11/2006, Jonathan M Bresler wrote:

>If the box is subject to tampering and not in a tamper-proof container,
>then it may be impossible to know whether or not the device has been
>tampered with or modified.

It's true. Any attacker with sufficient knowledge of what you were doing
and sufficient motivation could spoof the correct response. And of course
relying upon the attacker not knowing what you're doing is "security by
obscurity," which often works but might not provide the level of
confidence you want.

It occurs to me that there are two ways to deal with this sort of problem.
One way is to make it unrewarding for the attacker to hack the boxes. The
other is to make it too logistically difficult for the attacker to bother.

For example, you could have two or more boxes in the same area checking
one another in a sort of "tag team" arrangement. The communications links
from all of them back to you might be slow, but the links between them
could be lightning fast. If something odd happened (e.g. one of them
suddenly did not respond or acted funny even for a millisecond) one or
more of them could sound the alarm. The expense and difficulty of hacking
them all simultaneously would go up exponentially with the number of
"team mates."

--Brett Glass